| … | |
… | |
| 281 | </dd> |
281 | </dd> |
| 282 | <p></p> |
282 | <p></p> |
| 283 | <dt><strong><a name="item_i_need_to_make_it_setuid_2fsetgid_to_support_utmp_">I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe?</a></strong><br /> |
283 | <dt><strong><a name="item_i_need_to_make_it_setuid_2fsetgid_to_support_utmp_">I need to make it setuid/setgid to support utmp/ptys on my OS, is this safe?</a></strong><br /> |
| 284 | </dt> |
284 | </dt> |
| 285 | <dd> |
285 | <dd> |
| 286 | Likely not. While I honestly try to make it secure, and am probably not |
286 | It should be, starting with release 7.1. You are encouraged to properly |
| 287 | bad at it, I think it is simply unreasonable to expect all of freetype |
287 | install urxvt with privileges necessary for your OS now. |
| 288 | + fontconfig + xft + xlib + perl + ... + rxvt-unicode itself to all be |
|
|
| 289 | secure. Also, rxvt-unicode disables some options when it detects that it |
|
|
| 290 | runs setuid or setgid, which is not nice. Besides, with the embedded perl |
|
|
| 291 | interpreter the possibility for security problems easily multiplies. |
|
|
| 292 | </dd> |
|
|
| 293 | <dd> |
288 | </dd> |
| 294 | <p>Elevated privileges are only required for utmp and pty operations on some |
|
|
| 295 | systems (for example, GNU/Linux doesn't need any extra privileges for |
|
|
| 296 | ptys, but some need it for utmp support). It is planned to mvoe this into |
|
|
| 297 | a forked handler process, but this is not yet done.</p> |
|
|
| 298 | </dd> |
289 | <dd> |
|
|
290 | <p>When rxvt-unicode detects that it runs setuid or setgid, it will fork |
|
|
291 | into a helper process for privileged operations (pty handling on some |
|
|
292 | systems, utmp/wtmp/lastlog handling on others) and drop privileges |
|
|
293 | immediately. This is much safer than most other terminals that keep |
|
|
294 | privileges while running (but is more relevant to urxvt, as it contains |
|
|
295 | things as perl interpreters, which might be ``helpful'' to attackers).</p> |
| 299 | <dd> |
296 | </dd> |
| 300 | <p>So, while setuid/setgid operation is supported and not a problem on your |
297 | <dd> |
| 301 | typical single-user-no-other-logins unix desktop, always remember that |
298 | <p>This forking is done as the very first within main(), which is very early |
| 302 | its an awful lot of code, most of which isn't checked for security issues |
299 | and reduces possible bugs to initialisation code run before main(), or |
| 303 | regularly.</p> |
300 | things like the dynamic loader of your system, which should result in very |
|
|
301 | little risk.</p> |
| 304 | </dd> |
302 | </dd> |
| 305 | <p></p> |
303 | <p></p> |
| 306 | <dt><strong><a name="item_when_i_log_2din_to_another_system_it_tells_me_abou">When I log-in to another system it tells me about missing terminfo data?</a></strong><br /> |
304 | <dt><strong><a name="item_when_i_log_2din_to_another_system_it_tells_me_abou">When I log-in to another system it tells me about missing terminfo data?</a></strong><br /> |
| 307 | </dt> |
305 | </dt> |
| 308 | <dd> |
306 | <dd> |
| … | |
… | |
| 2360 | Add support for a very unobtrusive, plain-looking scrollbar that |
2358 | Add support for a very unobtrusive, plain-looking scrollbar that |
| 2361 | is the favourite of the rxvt-unicode author, having used it for |
2359 | is the favourite of the rxvt-unicode author, having used it for |
| 2362 | many years. |
2360 | many years. |
| 2363 | </dd> |
2361 | </dd> |
| 2364 | <p></p> |
2362 | <p></p> |
| 2365 | <dt><strong><a name="item_shadow">--enable-half-shadow (default: off)</a></strong><br /> |
|
|
| 2366 | </dt> |
|
|
| 2367 | <dd> |
|
|
| 2368 | Make shadows on the scrollbar only half the normal width & height. |
|
|
| 2369 | only applicable to rxvt scrollbars. |
|
|
| 2370 | </dd> |
|
|
| 2371 | <p></p> |
|
|
| 2372 | <dt><strong><a name="item_ttygid">--enable-ttygid (default: off)</a></strong><br /> |
2363 | <dt><strong><a name="item_ttygid">--enable-ttygid (default: off)</a></strong><br /> |
| 2373 | </dt> |
2364 | </dt> |
| 2374 | <dd> |
2365 | <dd> |
| 2375 | Change tty device setting to group ``tty'' - only use this if |
2366 | Change tty device setting to group ``tty'' - only use this if |
| 2376 | your system uses this type of security. |
2367 | your system uses this type of security. |
